Slashdot Mirror
Microsoft Taking Aggressive Steps Against Linux On ARM
New submitter Microlith writes "Microsoft has updated their WHQL certification requirements for Windows 8, and placed specific restrictions on ARM platforms that will make it impossible to install non-Microsoft operating systems on ARM devices, and make it impossible to turn off or customize such security. Choice quotes from the certification include from page 116, section 20: 'On an ARM system, it is forbidden to enable Custom Mode. Only Standard Mode may be enabled' — which prevents users from customizing their security, and in section 21: 'Disabling Secure MUST NOT be possible on ARM systems' to prevent you from booting any other OSes."
As much as i hate to say it, time to get the Feds involved, again.
Forget piddly sanctions, or even a "breakup". Shut them down once and for all.
---- Booth was a patriot ----
Don't you mean iOS? My mac isn't locked down in the least, and in fact is more open than windows.
---- Booth was a patriot ----
The trick to being a good shill is to not have your diatribe prewritten to post as soon as the story goes from red to green.
It's a little too blatant otherwise.
MS is fine with all those junk-grade tablets, just that they don't want something like the N900 to pop up. They were able to kill that by all-but acquiring Nokia and making sure Elop would kill the N9.
So take your "not target market" or "find a device that suits you" complaints and stuff them, tyvm.
Twitter supports and protects racists - by smearing their critics with the "Hate Speech" label.
And why not bitch at Apple for locking down OS X and iPhone's too?
But... WE DO BITCH AT APPLE FOR LOCKING DOWN OS X AND IPHONE TOO.
I don't understand if you're a troll, a shill, or simply an idiot. Microsoft is imposing this overly restrictive and anti-competitive measures on ARM hardware, in order for it to have WHQL certification, and you pretend to believe it is to stop malware? Really?
Seems these criminals have forgotten the last lesson in not behaving anti-competitively already. Time to fine them a few billions to make them remember.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
Sir, you are either paid propagandist, or you have no idea what you are talking about.
The security we (Linux users) always wanted was supposed to be on software level, not on hardware level.
Doing anything like this on hardware level is definately anti-competitive.
He is a shill. Despicable. Just look at the posting time of the article and his comment. This was obviously pre-written.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
OS X doesn't stop you installing other operating systems. OS X even comes with a tool that will resize your existing partition, provide space for another OS, and Apple computers have a graphical boot menu out of the box for selecting the OS to boot.
I'm not sure about iOS devices. The older iPods didn't actively stop you from installing other operating systems (they just didn't support it, which is fair enough). If the new iPods / iPhones do lock the bootloader and prevent you from installing something else, then that would be something worth complaining about, although there are enough other reasons for wanting to avoid Apple's locked-down consumer product lines that it's probably quite low on the list.
I am TheRaven on Soylent News
Making it impossible to dual-boot your ARM device. Security for the boot sector is one thing, making it impossible to install another OS by choice is something else.
That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage
The fact that you think that disabling "custom boot" on ARM makes Windows more secure is yet another indication that there is really no understanding of security in the Windows world. And Linux users haven't been "asking for" Microsoft to do anything; we don't really care. We just keep pointing out that Microsoft doesn't seem to understand security.
Yes, the fact that Microsoft's operating systems are such a failure on ARM: Microsoft is in effect subsidizing hardware in order to give their operating system a chance in the market on ARM; without such subsidies, they wouldn't have a chance. But it is just those subsidies that make the hardware attractive for Linux. In contrast, iPhone and iPod are unattractive targets for alternative operating systems because iOS is successful and Apple charges a premium for their devices.
Locking down the boot loader in that way doesn't improve security and only has one conceivable purpose: to keep out other operating systems, and it is a necesssary part of an attempt by Microsoft to gain market share for their otherwise unattractive operating systems by subsidizing the hardware.
If it would have had been only a security feature, there would be an SD-card in the device storing encryption keys for approved OS software manufactures. The SD-card could in this case be made read only and if the user wants to disable any tampering, he could glue it in the slot. A user could add additional approved keys (even his own keys) by placing the card with write enabled in another machine.
In this case, it would have only been about security. As it stands now the MS rules is to lock out competitors from the market.
"Civis Europaeus sum!"
That worked for them with netbooks.
You are forgetting one of the 10 commandments of propaganda: If you repeat it enough times, people will believe it is true.
And, as a bonus, you'll slowly drive anyone that actually has some grasp of the truth slowly bat-shit crazy thanks to the gas lighting effect; which makes them, and therefor their position, unattractive.
Any sufficiently advanced influence is indistinguishable from control.
Rubbish.
If it was about preventing malware on ARM it would allow installation of any operating system [i]except[/i] windows.
That's because Apple is a hardware company foremost. It works the other way with them. They don't want you installing their software on other hardware and work to prevent it. Microsoft is being forced into attacking linux on ARM in this way because they can't really compete against them any other way on that platform and they are desperate not to start losing market share even if they maintain their monopoly on pc architecture. MS knows that once linux really starts to take hold anywhere at all they are in danger everywhere.
The boot sector can be locked down by allowing the user to add keys manually. There is no need at all to tie it to a specific OS. Rather obvious and already in the spec.
Go away, nobody believes you.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
If the new iPods / iPhones do lock the bootloader and prevent you from installing something else, then that would be something worth complaining about
They do. As do many (probably even the majority) of Android devices. And Symbian devices. And bloody well anything that runs on ARM! The number of locked ARM devices vastly outnumbers the number that are unlocked, or even have the ability to be officially unlocked. Should unlocked ARM devices be the norm? Yes. Is Microsoft's position the norm among every device and OS manufacturer? Also yes.
Also interesting to note is that the updated document specifically requires that UEFI Secure Boot settings can be modified by the end user, contrary to previous hooh-hah.
>> if you buy a Windows device
What is a windows device exactly? Microsoft marketing dept have invented this concept that Windows is somehow hardware. Its not. Windows is an OS. No more.
I buy computers (not Windows devices, or apple devices). I need them to do the things I want. Its my property. I can and should be able to do what I like with it.
They are in despair. They are too late in mobile market. They start to understand that, but they still have this strong hand mentality. They tried it with Windows Mobile - nope, didn't worked. They are tried with lot of different concepts - also wasted. Now the same with ARM notebooks/tablets.
They don't understand that it is too late. People has seen tomorrow without Microsoft. Tablet competition is very strong out there. What is your killer feature? Office? Who needs that? Email, web - it's all there, it's everywhere.
user@ubuntubox:~$ stfu This server is going down for shutdown NOW!
I've been using Windows for a long time. I do not like Windows. Other's agree with me, people who use Windows do not like Windows. People who use Windows like the software they run on Windows.
Microsoft thinks that people LOVE Windows. That's why they created Windows CE, and that was a massive failure. People want to run their x86 software on the computer, and last time I checked Windows 8 ARM can not run x86 software, so your software collection is junk all of a sudden.
If you give most people a choice between Linux vs Windows, they will choose Windows. If you give them a choice between Windows that wont run their apps, and Linux that wont run their apps but at least already has a large library of software, then they will Choose Linux.
Not playing nice with MS means that they get bum deals on licenses for Windows machines, which major OEMs are selling.
This is my signature. There are many like it, but this one is mine.
It does not make sense. You can always allow the user to add another key, and you can give clear warning when they do. Preventing the user from adding another key is not a security feature. Period.
But I guess you are paid to post this nonsense here.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
Microsoft will get dragged through the courts for anti-competitive behaviour once again. You'd think they'd have learnt their lesson from the whole IE bundling thing that cost them very serious money.
Even if the US gov is corrupt enough to let this slide, there's no way Microsoft will get away with this in the EU or anywhere else.
Bullshit. When OS X first came out, it only ran on PowerPC. It came with OpenFirmware, and which provided a graphical multiboot bootloader. When it was ported to Intel, Boot Camp was a separate download, now it's integrated.
I am TheRaven on Soylent News
There are plenty of phone/tablet devices with measures to explicitly prevent other OSes from being put in place. Telling is that the 'OS' in PC world is considered software and in the phone/tablet world they have sucessfully got people calling it 'firmware'. This market is trying to blur the division between the platform and the OS to significant success. Every 'OS' vendor is expected to compete by getting a partner to release hardware around the OS. That means less room for startups or grass-roots OS creation, only certain Android hardware devices are a viable target.
That market is a plethora of monolithic devices with no configurability in hardware or software. This is a huge step back from the state of x86 systems where so much is socketed and mixing and matching is possible by the consumer thanks to rigorous standards in place to make it all possible. The 'primary' targeted OS runs as well as the primary OS on any of these devices, and while an alternative OS may fail to integrate properly with the device (Linux-Vendor ACPI was a sore spot for eternity, better now), the user can make the tradeoffs if they choose.
XML is like violence. If it doesn't solve the problem, use more.
This has nothing to do with preventing the user from adding another OS key to their device. That is the thinly-veiled anti-competitive truth behind this. Also note that on x86, the user _is_ allowed to add another OS key. How is that?
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
Well, it worked for his first shill post in the other MS story, it was basically first post and still at +4, it was added up pretty instantly so I assume they also have a bunch of shill accounts to mod it up.
Live today, because you never know what tomorrow brings
Plain and simple, bullshit. It's a smoke screen. When malware manages to infect boot sector or equivalent, the attack comes from within the OS. Microsoft has every capability of treating writes to the boot area and EFI configuration as special and performing their own security checks to prevent 'unauthorized' writes to that area (going even beyond their permissions to also require signed code). It still regretably break things like Ubuntu's in-windows installer, but I would accept that wasn't their goal and I think the tradeoff is more defensible. Malware because the computer boots off removeable media 'accidentally' is pretty unlikely in EFI case (where OS forces the firmware to skip all that and go straight to boot loader unless user takes action). Attacks where someone maliciously mangles a system they have complete control of is not even a blip on the radar of malware (it may happen, but certainly nothing worth breaking an entire industry over). Incidentally, 'boot sector' type infections are relatively rare in the scheme of MS malware, most malware doesn't bother to infect the boot area, and still they are all over MS platforms.
Also keep in mind, MS is the *only* party who gets to control those keys. The users are not allowed to add new trusted keys. The hardware vendors are not allowed to put another vendor's keys instead of Microsoft's. The vendor *must* use MS key or no one's at all, they are forbidden from using the facility to the benefit of someone like Red Hat for example. The vendor gets in trouble with MS if they use the facility in a way that would prevent MS code from running. How the *hell* is that possibly considered right in the context of 'just improving their security'?
XML is like violence. If it doesn't solve the problem, use more.
Ah, the argumentation flowchart is revealed:
1. This is necessary for security
--> direct lie
2. MS does not have a monopoly on ARM
--> not relevant
3. Everybody else is doing it.
--> not relevant and not true
What next? MS really should have paid for some professionals here, not you clowns.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
That's just it shill-boy.
They're not "simply going to another market".
They're adding stipulations to their credentialing process that REQUIRE hardware vendors to essentially lock out all forms of user choice for alternate OSes on their platform.
So if WidgetCo wants to sell their ARM-Widget 6000 with Windows on there, they have to lock the platform to the point where you CAN'T load the ARM-Widget 6000 with Android or another OS.
Essentially they're forcing hardware vendors to make an irrevocable choice about which market they're going to service instead of allowing them to service any/all of them.
That's quite clearly abuse.
Chas - The one, the only.
THANK GOD!!!
Considering your astroturf account is only 140 users ahead of OP astroturf account, I dont trust what you have to say either.
Be gone astroturfers.
I too am struck by the timing of the initial post, and the similarity of your id to that party's id... it does indeed suggest you're engaged in paid astroturfing for Microsoft.
The response to your 'question': Google doesn't lock down their devices; they leave that choice entirely to the manufacturers, some of whom choose to lock down, others who choose not to (e.g. Samsung, and Google itself).
If Google had as long and detailed a history of being as anti-competetive as Microsoft, they'd garner just as much hate as Microsoft. But Google is much better than Microsoft, both in this case and in longterm overall behavior.
Slashdot, can we have a system where people can be tagged as shills, not just per-comment but as a lingering account attribute?
- First they ignore you, then they laugh at you, then ???, then profit.
Also interesting to note is that the updated document specifically requires that UEFI Secure Boot settings can be modified by the end user, contrary to previous hooh-hah.
What updated document? This is the text:
MANDATORY: Enable/Disable Secure Boot.
On non-ARM systems, it is required to implement the ability to disable Secure Boot via firmware setup. A physically present user must be allowed to disable Secure Boot via firmware setup without possession of Pkpriv. Programmatic disabling of Secure Boot either during Boot Services or after exiting EFI Boot Services MUST NOT be possible. Disabling Secure MUST NOT be possible on ARM systems.
Nothing else applies to ARM system. It. Must. Not. Be. Possible. Ever. In any way.
Live today, because you never know what tomorrow brings
a) His points are wrong, and rather obviously so, see rest of thread
b) He (and you) are obviously paid by MS to spread this FUD here
c) You are doing this so incompetently, even a young child can see it
d) After your purpose has been revealed, you keep at it, confirming the suspicion
Despicable and pathetic. Is MS to stingy to pay for good liars?
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
His premise is entirely wrong. There are a number of ways to ensure the security of the boot sector from the software layer, locking it to one OS doesn't increase security beyond the fact that only one OS's flaws will be exploitable.
It's really a ridiculous attempt at justifying locking in a subset of arm chips to MS only.
They do. As do many (probably even the majority) of Android devices. And Symbian devices. And bloody well anything that runs on ARM! The number of locked ARM devices vastly outnumbers the number that are unlocked, or even have the ability to be officially unlocked. Should unlocked ARM devices be the norm? Yes. Is Microsoft's position the norm among every device and OS manufacturer? Also yes.
Number one Android devices manufacturer is Samsung, which didn't ever bother to lock their bootloaders. Quite the opposite, they contribute to CyanogenMod and ever hired its top developer. Maybe it's one of the reasons they are number one?
as anyone who has actually tried to build that pile of ass knows, the apple 'open source' project is complete horse shit. they use an incredibly obfuscated build system that makes it impossible for anyone except Apple to actually compile their projects.
that is why there are no open source operating systems based off the Darwin Kernel, except for the highly alpha-level PureDarwin , and the completely abandoned OpenDarwin -- here we are ten years after OsX, and PureDarwin only recently announced "The dawn of network and audio support" in their OS.
GNU Hurd and Haiku are both farther along the way to being usable Operating Systems than any open system based on Darwin.
Your argument is bogus. We are talking UEFI here. Why would something be acceptable or even desired on x86, yet on ARM it suddenly is necessary to do the same thing differently? Right, for business reasons, i.e. locking out the competition! And that is exactly what MS is trying to do here. Again.
Face it, you prepared "argumentation" strategy for spinning this is not working.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
Nonsense. Rather obviously so.
Seems "everybody else is doing it" is really the last stance in your astroturfing strategy. This does not invalidate that MS is doing something blatantly anti-competitive here with zero technical reasons and zero security benefit. Allowing the user to add OS keys to the device they own and paid for is not a security risk, just a business risk. And that is why MS does not want that and pays you clowns to try to spin it differently.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
Micorosft is finaly realising their dream of creating a TCPA compilant plataform, iOS and Android aren't getting any more open and the smartphone market is finaly big. Everything is good now for somebody to pull a "PC" on phones.
Create an extensible standard for ARM (we are near there already), sell a basic machine folowing that standard, then, sell extended versions. Make sure to publish the drivers with your Linux kernel (get them in the main tree if possible), and laugh while developers adopt your architecture.
Once you have the developers, getting users is just a matter of time. Be sure to use your first mover advantage wisely, and sell the company before the market get completely comodityzed.
Rethinking email
IIS has an 18% market share and something like 90% of successful breakins to web servers are done against IIS servers. Roughly 80% of the webserver market is running linux.
When's the last time you saw google get hacked? They run a custom OS built on top of linux. Facebook runs linux on their servers. All of the top supercomputers in the world run linux, 80% of the top 500 run linux. I don't remember the last time anyone ever said a supercomputer was hacked, do you?
If you want to point out these rootkits and exploits, feel free to show me them. I would be amazed that any major exploit for a linux OS would not have been patched quickly.
The only real way of breaking into a linux system that I know of is to have physical access to the computer or to have a bad sysadmin.
Linux is already taking hold in pretty much every market except desktops...
Servers
Phones (Android, also WebOS/Meego)
HPC (see the top500 list)
Embedded devices like routers, set top boxes, televisions, voip phones etc...
Many people these days have more linux devices in their house than they do windows, and don't even realise it.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
I really hate to side with the Mac user, but he's right... his Mac *is* far more open than Windows, and has *far* more support from Apple in installing an alternative OS than Microsoft ever gives.
That, however, is because Apple is a hardware vendor, and they throw the OS in on the side. Microsoft is an OS vendor. It's not in Microsoft's interest to allow you to install something different, but it *is* in Apple's interest to give you that option.
iOS != OSX. They have a similar core, and come from the same people, but they serve entirely different purposes.
even Android manufacturers lock down their devices with similar technologies because it makes the devices secure. Why is[SIC] Microsoft allowed to do the same
That's the difference right there. Phone manufacturers lock down their devices. Android doesn't require it. Microsoft is dictating to the manufacturer that they must lock it down. They probably would anyway, so I don't why Microsoft feels compelled to tell them what to do. Hopefully, they will just backlash and not bother with MS.
/. bitches about Windows security and then when MS does something they bitch about that. No Linux fan ever said MS should lock down hardware, they say MS should control what the software that runs under MS OS should be able to do, not lock down the hardware. A shill is not to be taken at face value.
And it's not a valid comment. The OP posits that
But if someone says 12 is 6 of one and a half a dozen of the other does it make it wrong if you don't like the company?
Lets be honest and cut the bullshit folks, we're all geeks and adults, yes? There are TWO VERY LEGITIMATE REASONS for doing this that even the blind would be able to see. 1.- After seeing how badly Google has been getting pwned with Android malware the LAST thing MSFT wants is to be the easily pwned OS in this new market, and 2.- the REAL reason I'm willing to bet my last buck they are doing this....ready? PIRACY. Not only is MSFT Windows most likely the most highly pirated software on the entire planet but we've already seen pirated phone apps all over the web. by locking down their OS and hardware this gives them a better platform for those that want to sell phone apps, think X360. yes we all know there are pirate X360s out there but it means you have to have two systems, the cracked and the legit and most folks simply aren't gonna go through that much bullshit. I'm sure MSFT will have special keys which will be tied to the OS and hardware so that those selling apps on windows market know they aren't gonna get pirated without them doing some serious hardware hacking which the vast majority won't do for fear of bricking.
Finally the most important thing which will probably piss off the fanbois but seriously, who gives a flying fuck? Its not like MSFT is gonna sell jack shit when it comes to Windows 8 on ARM anyway because the whole damned selling point of Windows is WINDOWS PROGRAMS which are all x86. Has everyone forgotten WinNT on Alpha and MIPS? Remember how quick and how hard that shit bombed? Why would you want Windows if you can't run Windows programs? Its not like you can just recompile those 300,000+ programs for Windows to run on ARM now can you? Apple can change arches because the programs people buy Apple devices for, your iMovie and iDVD and Garageband and iTunes are all written by guess who? The ONLY thing MSFT has besides the OS is Office, big whoop. Everything else is by some third party and most won't bother because there are literally a billion Windows boxes they can sell for that run x86 and they don't have to change a line of code, so why waste the money on a niche platform MSFT has already struck out on not once, not twice, but THREE times now, first WinMo then Kin followed by WinPhone...see a pattern?
Personally they can have it written that you can't use Win 8 for ARM unless you watch Ballmer do his monkey dance for all that its gonna matter, its gonna bomb, YOU know it, I know it, hell everybody knows it! Everyone will stick with iShiny and those cute little dancing droids. There is ONE nice thing though, after this shit bombs we'll be getting Win 8 pads at Touchpad prices and if you end up with a $500 winPad for the firesale prices the touchpad went for are you REALLY gonna give a shit what it runs?
ACs don't waste your time replying, your posts are never seen by me.
What they do is not secret: http://waggeneredstrom.com/about/approach
Monitoring conversations, including those that take place with social media, is part of our daily routine; our products can be used as early warning systems, helping clients with rapid response and crisis management.
Microsoft are No 3 on their client list
http://waggeneredstrom.com/clients
DavidSell ByOhTek antitithenai, Bonch, Dtech and others are psuedonyms/sockpuppets used by the team to "guide" discussions.
Intel's new Medfield Atom will run Android phones and tablets, Tizen devices, Win 8 tablets and (if MSFT get's their head screwed on correctly) Win Phone. Since the underlying firmeware environment in the medfield platforms is driven by Intel's reference design, MSFT will not be able to dictate whether other OSes can boot any more than they can in the rest of the x86 world. (Assuming OEMs will be smart enough to let customers control UEFI authentication)
a) OP's points are still wrong. You don't need to lock the hardware to one OS in order to prevent malware. Car analogy? No problem: It's like saying that the tire rims must be welded onto the wheels in order to prevent tire slashing. The OS (tires) can still be compromised no matter what you do to the underlying hardware, so the whole argument becomes one great big false premise.
b) there's no way to tell for certain, but it does happen a lot: http://waggeneredstrom.com/clients
c) Dude did do it incompetently. He's not a subscriber, yet there's a whole novella waiting mere moments after the story is posted publicly. His posting history also shows an incredibly strong pro-Microsoft bias, even to the point of nonsense at times.
d) see c)
As for the rest? Certainly you don't need WHQL certification to run drivers on Windows - but Joe Public will see a buttload of bells and alarms warning him if he tries to install it.
There are no major security reasons for doing it - period. Once someone has physical access, it's game-over anyway - no matter how hard you think you can lock it down.
HTH a little. /P
Quo usque tandem abutere, Nimbus, patientia nostra?
Couple 'o Points:
1.- After seeing how badly Google has been getting pwned with Android malware the LAST thing MSFT wants is to be the easily pwned OS in this new market, and 2.- the REAL reason I'm willing to bet my last buck they are doing this....ready? PIRACY.
1. Android's malware woes weren't all (or even mostly) tied to the boot sector, so this makes no sense.
2. Err, how on Earth is locking the boot sector going to stop piracy? I may be missing something here, but seriously? Not seeing it.
As for the rest, I largely agree, except for one bit:
There is ONE nice thing though, after this shit bombs we'll be getting Win 8 pads at Touchpad prices and if you end up with a $500 winPad for the firesale prices the touchpad went for are you REALLY gonna give a shit what it runs?
The fact that Android on the HP TouchPad was hurriedly pushed out and then widely broadcast says otherwise. The reason? An unsupported OS/arch means no new applications, no updates for existing ones (after awhile), and you;re basically stuck with something that becomes obsolete faster. Seems like a total waste of hardware after awhile.
Quo usque tandem abutere, Nimbus, patientia nostra?
The right question is why Microsoft is interested in Adjustable Rate Mortgages in the first place.
http://www.geoffreylandis.com